Refactors Patrole framework to only use admin tenant credential type.

This patch adds following capablities to RBAC tempest framework: 1. Restricts admin only tenant to be used for rbac as much as possible, and thus removes need of creating additional tenant with "primary" credential type. 2. Patrole framework requires "tempest_roles" value in the conf file to be set to "admin" role. Which again restricts tempest.conf to a hardcoded value. This patch takes care of this problem also. Note: Adding this patch will required some cleanup and refactoring in test files, which will be taken care in separate commits component wise. Co-Authored-By: Mh Raies <mh.raies@ericsson.com> Co-Authored-By: Felipe Monteiro <felipe.monteiro@att.com> Implements bp: modifying-switching-role-mechanism Closes-Bug: #1664600 Closes-Bug: #1664278 Change-Id: Ic665d35332def6b6ec7b0065d1ebe65514a926b9
2017-03-02 17:01:37 -05:00
parent 103038fa47
commit 34a138c4b5
80 changed files with 489 additions and 687 deletions
--- a/patrole_tempest_plugin/rbac_utils.py
+++ b/patrole_tempest_plugin/rbac_utils.py
@@ -13,19 +13,19 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-import json
 import six
 import time
-import urllib3
+
+from tempest.common import credentials_factory
+from tempest import config
+from tempest.test import BaseTestCase

 from oslo_log import log as logging
-from tempest import config

-from patrole_tempest_plugin import rbac_exceptions as rbac_exc
+from patrole_tempest_plugin import rbac_exceptions

-LOG = logging.getLogger(__name__)
 CONF = config.CONF
-http = urllib3.PoolManager()
+LOG = logging.getLogger(__name__)


 class Singleton(type):
@@ -40,89 +40,64 @@ class Singleton(type):

@six.add_metaclass(Singleton)
 class RbacUtils(object):
-    def __init__(self):
-        RbacUtils.dictionary = {}

-    @staticmethod
-    def get_roles(caller):
-        admin_role_id = None
-        rbac_role_id = None
+    def __init__(cls):
+        creds_provider = credentials_factory.get_credentials_provider(
+            name=__name__,
+            force_tenant_isolation=True,
+            identity_version=BaseTestCase.get_identity_version())

-        if bool(RbacUtils.dictionary) is False:
-            admin_token = caller.admin_client.token
-            headers = {'X-Auth-Token': admin_token,
-                       "Content-Type": "application/json"}
-            url_to_get_role = CONF.identity.uri_v3 + '/roles/'
-            response = http.request('GET', url_to_get_role, headers=headers)
-            if response.status != 200:
-                raise rbac_exc.RbacResourceSetupFailed('Unable to'
-                                                       ' retrieve roles')
-            data = response.data
-            roles = json.loads(data)
-            for item in roles['roles']:
-                if item['name'] == CONF.rbac.rbac_test_role:
-                    rbac_role_id = item['id']
-                if item['name'] == 'admin':
-                    admin_role_id = item['id']
+        cls.creds_client = creds_provider.creds_client
+        cls.available_roles = cls.creds_client.roles_client.list_roles()
+        cls.admin_role_id = cls.rbac_role_id = None
+        for item in cls.available_roles['roles']:
+            if item['name'] == CONF.rbac.rbac_test_role:
+                cls.rbac_role_id = item['id']
+            if item['name'] == 'admin':
+                cls.admin_role_id = item['id']
+        # Check if admin and rbac role exits
+        if not cls.admin_role_id or not cls.rbac_role_id:
+            msg = ("defined 'rbac_role' or 'admin' role does not exist"
+                   " in the system.")
+            raise rbac_exceptions.RbacResourceSetupFailed(msg)

-            RbacUtils.dictionary.update({'admin_role_id': admin_role_id,
-                                         'rbac_role_id': rbac_role_id})
+    def clear_user_roles(cls, user_id, tenant_id):
+        roles = cls.creds_client.roles_client.list_user_roles_on_project(
+            tenant_id, user_id)['roles']

-        return RbacUtils.dictionary
+        for role in roles:
+            cls.creds_client.roles_client.delete_role_from_user_on_project(
+                tenant_id, user_id, role['id'])

-    @staticmethod
-    def delete_all_roles(self, base_url, headers):
-        # Find the current role
-        response = http.request('GET', base_url, headers=headers)
-        if response.status != 200:
-            raise rbac_exc.RbacResourceSetupFailed('Unable to retrieve'
-                                                   ' user role')
-        data = response.data
-        roles = json.loads(data)
-        for item in roles['roles']:
-            url = base_url + item['id']
-            response = http.request('DELETE', url, headers=headers)
-            self.assertEqual(204, response.status)
-
-    @staticmethod
-    def switch_role(self, switchToRbacRole=None):
+    def switch_role(cls, test_obj, switchToRbacRole=None):
        LOG.debug('Switching role to: %s', switchToRbacRole)
-        if switchToRbacRole is None:
-            return
-
-        roles = rbac_utils.get_roles(self)
-        rbac_role_id = roles.get('rbac_role_id')
-        admin_role_id = roles.get('admin_role_id')
+        if not isinstance(switchToRbacRole, bool):
+            msg = ("Wrong value for parameter 'switchToRbacRole' is passed."
+                   " It should be either 'True' or 'False'.")
+            raise rbac_exceptions.RbacActionFailed(msg)

        try:
-            user_id = self.auth_provider.credentials.user_id
-            project_id = self.auth_provider.credentials.tenant_id
-            admin_token = self.admin_client.token
+            user_id = test_obj.auth_provider.credentials.user_id
+            project_id = test_obj.auth_provider.credentials.tenant_id

-            headers = {'X-Auth-Token': admin_token,
-                       "Content-Type": "application/json"}
-            base_url = (CONF.identity.uri_v3 + '/projects/' + project_id +
-                        '/users/' + user_id + '/roles/')
-
-            rbac_utils.delete_all_roles(self, base_url, headers)
+            cls.clear_user_roles(user_id, project_id)

            if switchToRbacRole:
-                url = base_url + rbac_role_id
-                response = http.request('PUT', url, headers=headers)
-                self.assertEqual(204, response.status)
+                cls.creds_client.roles_client.create_user_role_on_project(
+                    project_id, user_id, cls.rbac_role_id)
            else:
-                url = base_url + admin_role_id
-                response = http.request('PUT', url, headers=headers)
-                self.assertEqual(204, response.status)
+                cls.creds_client.roles_client.create_user_role_on_project(
+                    project_id, user_id, cls.admin_role_id)

        except Exception as exp:
            LOG.error(exp)
            raise
-        finally:
-                self.auth_provider.clear_auth()
-                # Sleep to avoid 401 errors caused by rounding
-                # In timing of fernet token creation
-                time.sleep(1)
-                self.auth_provider.set_auth()

-rbac_utils = RbacUtils()
+        finally:
+            test_obj.auth_provider.clear_auth()
+            # Sleep to avoid 401 errors caused by rounding
+            # In timing of fernet token creation
+            time.sleep(1)
+            test_obj.auth_provider.set_auth()
+
+rbac_utils = RbacUtils
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_password_rbac.py
@@ -20,7 +20,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -30,7 +29,7 @@ CONF = config.CONF
 class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(PasswordAdminRbacTest, self).tearDown()

    @classmethod
@@ -56,7 +55,7 @@ class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova", rule="os_compute_api:os-admin-password")
    @decorators.idempotent_id('908a7d59-3a66-441c-94cf-38e57ed14956')
    def test_change_server_password(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.change_password(
            self.server_id,
            adminPass=data_utils.rand_password())
@@ -65,5 +64,5 @@ class PasswordAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova", rule="os_compute_api:os-admin-password:discoverable")
    @decorators.idempotent_id('379fce8a-f1ff-11e6-bc64-92361f002671')
    def test_admin_password_discoverable(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.extensions_client.show_extension('os-admin-password')
--- a/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/admin/test_admin_server_actions_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -27,7 +26,7 @@ CONF = config.CONF
 class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServersAdminRbacTest, self).tearDown()

    @classmethod
@@ -52,7 +51,7 @@ class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-admin-actions:reset_state")
    @decorators.idempotent_id('ae84dd0b-f364-462e-b565-3457f9c019ef')
    def test_reset_server_state(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.reset_state(self.server_id, state='error')
        self.addCleanup(self.client.reset_state,
                        self.server_id,
@@ -63,7 +62,7 @@ class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-admin-actions:inject_network_info")
    @decorators.idempotent_id('ce48c340-51c1-4cff-9b6e-0cc5ef008630')
    def test_inject_network_info(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.inject_network_info(self.server_id)

    @rbac_rule_validation.action(
@@ -71,7 +70,7 @@ class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-admin-actions:reset_network")
    @decorators.idempotent_id('2911a242-15c4-4fcb-80d5-80a8930661b0')
    def test_reset_network(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.reset_network(self.server_id)

    @rbac_rule_validation.action(
@@ -79,5 +78,5 @@ class ServersAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-admin-actions:discoverable")
    @decorators.idempotent_id('e9d2991f-a05e-4116-881b-e2a82bb173cf')
    def test_admin_actions_discoverable(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.extensions_client.show_extension('os-admin-actions')
--- a/patrole_tempest_plugin/tests/api/compute/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/compute/rbac_base.py
@@ -17,11 +17,13 @@ from tempest.lib.common.utils import test_utils
 from tempest.api.compute import base as compute_base
 from tempest import config

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -29,20 +31,23 @@ class BaseV2ComputeRbacTest(compute_base.BaseV2ComputeTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                '%s skipped as RBAC flag not enabled' % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseV2ComputeRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseV2ComputeRbacTest, cls).setup_clients()
        cls.admin_client = cls.os_admin.agents_client
        cls.auth_provider = cls.os.auth_provider
+        cls.rbac_utils = rbac_utils()


 class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -50,15 +55,18 @@ class BaseV2ComputeAdminRbacTest(compute_base.BaseV2ComputeAdminTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                '%s skipped as RBAC flag not enabled' % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseV2ComputeAdminRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseV2ComputeAdminRbacTest, cls).setup_clients()
        cls.admin_client = cls.os_admin.agents_client
        cls.auth_provider = cls.os.auth_provider
+        cls.rbac_utils = rbac_utils()

    @classmethod
    def resource_setup(cls):
--- a/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_agents_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -26,7 +25,7 @@ CONF = config.CONF
 class AgentsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(AgentsRbacTest, self).tearDown()

    @classmethod
@@ -40,5 +39,5 @@ class AgentsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova", rule="os_compute_api:os-agents")
    @decorators.idempotent_id('d1bc6d97-07f5-4f45-ac29-1c619a6a7e27')
    def test_list_agents_rbac(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.agents_client.list_agents()
--- a/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_aggregates_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -28,7 +27,7 @@ CONF = config.CONF
 class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(AggregatesRbacTest, self).tearDown()

    @classmethod
@@ -65,7 +64,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova", rule="os_compute_api:os-aggregates:create")
    @decorators.idempotent_id('ba754393-896e-434a-9704-452ff4a84f3f')
    def test_create_aggregate_rbac(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_aggregate()

    @rbac_rule_validation.action(
@@ -73,14 +72,14 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('8fb0b749-b120-4727-b3fb-bcfa3fa6f55b')
    def test_show_aggregate_rbac(self):
        aggregate_id = self._create_aggregate()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.aggregates_client.show_aggregate(aggregate_id)

    @rbac_rule_validation.action(
        service="nova", rule="os_compute_api:os-aggregates:index")
    @decorators.idempotent_id('146284da-5dd6-4c97-b598-42b480f014c6')
    def test_list_aggregate_rbac(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.aggregates_client.list_aggregates()['aggregates']

    @rbac_rule_validation.action(
@@ -88,7 +87,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('c94e0d69-99b6-477e-b301-2cd0e9d0ad81')
    def test_update_aggregate_rbac(self):
        aggregate_id = self._create_aggregate()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        new_name = data_utils.rand_name('aggregate')
        self.aggregates_client.update_aggregate(aggregate_id, name=new_name)

@@ -97,7 +96,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('5a50c5a6-0f12-4405-a1ce-2288ae895ea6')
    def test_delete_aggregate_rbac(self):
        aggregate_id = self._create_aggregate()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.aggregates_client.delete_aggregate(aggregate_id)

    @rbac_rule_validation.action(
@@ -105,7 +104,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('97e6e9df-5291-4faa-8147-755b2d1f1ce2')
    def test_add_host_to_aggregate_rbac(self):
        aggregate_id = self._create_aggregate()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._add_host_to_aggregate(aggregate_id)

    @rbac_rule_validation.action(
@@ -114,7 +113,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
    def test_remove_host_from_aggregate_rbac(self):
        aggregate_id = self._create_aggregate()
        host_name = self._add_host_to_aggregate(aggregate_id)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.aggregates_client.remove_host(aggregate_id, host=host_name)

    @rbac_rule_validation.action(
@@ -124,7 +123,7 @@ class AggregatesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        aggregate_id = self._create_aggregate()
        rand_key = data_utils.rand_name('key')
        rand_val = data_utils.rand_name('val')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.aggregates_client.set_metadata(
            aggregate_id,
            metadata={rand_key: rand_val})
--- a/patrole_tempest_plugin/tests/api/compute/test_assisted_volume_snapshot_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_assisted_volume_snapshot_rbac.py
@@ -14,7 +14,6 @@
 #    under the License.

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 from tempest.lib.common.utils import data_utils
@@ -35,7 +34,7 @@ class AssistedVolumeSnapshotRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
        """Cleanup and reset RBAC role."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(AssistedVolumeSnapshotRbacTest, self).tearDown()

    def _create_and_attach(self):
@@ -55,7 +54,7 @@ class AssistedVolumeSnapshotRbacTest(rbac_base.BaseV2ComputeRbacTest):
        RBAC test for assisted volume snapshot role-create
        """
        self._create_and_attach()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.assisted_volume_snapshot_client.\
            create_volume_attachments(self.volume['id'],
                                      data_utils.rand_uuid())
@@ -74,6 +73,6 @@ class AssistedVolumeSnapshotRbacTest(rbac_base.BaseV2ComputeRbacTest):
        snapshot_id = data_utils.rand_uuid()
        self.assisted_volume_snapshot_client.\
            create_volume_attachments(self.volume['id'], snapshot_id)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.assisted_volume_snapshot_client.\
            delete_volume_attachments(snapshot_id, self.volume['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_attach_interfaces_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -57,7 +56,7 @@ class AttachInterfacesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(AttachInterfacesRbacTest, self).tearDown()

    def _attach_interface_to_server(self):
@@ -77,7 +76,7 @@ class AttachInterfacesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-attach-interfaces")
    def test_list_interfaces(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_interfaces(self.server['id'])['interfaceAttachments']

    @decorators.idempotent_id('d2d3a24d-4738-4bce-a287-36d664746cde')
@@ -85,7 +84,7 @@ class AttachInterfacesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-attach-interfaces:create")
    def test_create_interface(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._attach_interface_to_server()

    @decorators.idempotent_id('55b05692-ed44-4608-a84c-cd4219c82799')
@@ -94,5 +93,5 @@ class AttachInterfacesRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-attach-interfaces:delete")
    def test_delete_interface(self):
        interface = self._attach_interface_to_server()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_interface(self.server['id'], interface['port_id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_availability_zone_rbac.py
@@ -15,7 +15,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -24,7 +23,7 @@ CONF = config.CONF
 class NovaAvailabilityZoneRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(NovaAvailabilityZoneRbacTest, self).tearDown()

    @classmethod
@@ -38,12 +37,12 @@ class NovaAvailabilityZoneRbacTest(rbac_base.BaseV2ComputeRbacTest):
                                 "os-availability-zone:list")
    @decorators.idempotent_id('cd34e7ea-d26e-4fa3-a8d0-f8883726ce3d')
    def test_get_availability_zone_list_rbac(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.os.availability_zone_client.list_availability_zones()

    @rbac_rule_validation.action(service="nova", rule="os_compute_api:"
                                 "os-availability-zone:detail")
    @decorators.idempotent_id('2f61c191-6ece-4f21-b487-39d749e3d38e')
    def test_get_availability_zone_list_detail_rbac(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.os.availability_zone_client.list_availability_zones(detail=True)
--- a/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_config_drive_rbac.py
@@ -17,7 +17,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -37,7 +36,7 @@ class ConfigDriveRbacTest(rbac_base.BaseV2ComputeRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ConfigDriveRbacTest, self).tearDown()

    @decorators.idempotent_id('55c62ef7-b72b-4970-acc6-05b0a4316e5d')
@@ -45,7 +44,7 @@ class ConfigDriveRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-config-drive")
    def test_create_test_server_with_config_drive(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # NOTE(felipemonteiro): This policy action is always enforced,
        # regardless whether the config_drive flag is set to true or false.
        # However, it has been explicitly set to true below, in case that this
--- a/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_deferred_delete_rbac.py
@@ -16,7 +16,6 @@
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -41,14 +40,14 @@ class DeferredDeleteRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(DeferredDeleteRbacTest, self).tearDown()

    @rbac_rule_validation.action(
        service="nova",
        rule="os_compute_api:os-deferred-delete")
    def test_force_delete_server(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Force-deleting a server enforces os-deferred-delete according to the
        # following API: https://github.com/openstack/nova/blob/master/nova/api
        # /openstack/compute/deferred_delete.py
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_access_rbac.py
@@ -22,7 +22,6 @@ from tempest.lib import exceptions

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -50,7 +49,7 @@ class FlavorAccessAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        cls.tenant_id = cls.auth_provider.credentials.tenant_id

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FlavorAccessAdminRbacTest, self).tearDown()

    @decorators.idempotent_id('a2bd3740-765d-4c95-ac98-9e027378c75e')
@@ -58,7 +57,7 @@ class FlavorAccessAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-flavor-access")
    def test_list_flavor_access(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.client.list_flavor_access(self.flavor_id)
        except exceptions.NotFound as e:
@@ -72,7 +71,7 @@ class FlavorAccessAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-flavor-access:add_tenant_access")
    def test_add_flavor_access(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.add_flavor_access(
            flavor_id=self.flavor_id, tenant_id=self.tenant_id)
        self.addCleanup(self.client.remove_flavor_access,
@@ -88,6 +87,6 @@ class FlavorAccessAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
                        self.client.remove_flavor_access,
                        flavor_id=self.flavor_id, tenant_id=self.tenant_id)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.remove_flavor_access(
            flavor_id=self.flavor_id, tenant_id=self.tenant_id)
--- a/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_flavor_extra_specs_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -49,7 +48,7 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        super(FlavorExtraSpecsAdminRbacTest, cls).resource_cleanup()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FlavorExtraSpecsAdminRbacTest, self).tearDown()

    def _set_flavor_extra_spec(self):
@@ -69,7 +68,7 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-flavor-extra-specs:show")
    def test_show_flavor_extra_spec(self):
        key = self._set_flavor_extra_spec()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_flavor_extra_spec(self.flavor['id'], key)[key]

    @decorators.idempotent_id('fcffeca2-ed04-4e85-bf93-02fb5643f22b')
@@ -77,7 +76,7 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-flavor-extra-specs:create")
    def test_set_flavor_extra_spec(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._set_flavor_extra_spec()

    @decorators.idempotent_id('42b85279-6bfa-4f58-b7a2-258c284f03c5')
@@ -86,7 +85,7 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-flavor-extra-specs:update")
    def test_update_flavor_extra_spec(self):
        key = self._set_flavor_extra_spec()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        update_val = data_utils.rand_name('val')
        self.client.update_flavor_extra_spec(self.flavor['id'], key,
                                             **{key: update_val})[key]
@@ -97,7 +96,7 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-flavor-extra-specs:delete")
    def test_unset_flavor_extra_spec(self):
        key = self._set_flavor_extra_spec()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.unset_flavor_extra_spec(self.flavor['id'], key)

    @decorators.idempotent_id('02c3831a-3ce9-476e-a722-d805ac2da621')
@@ -106,5 +105,5 @@ class FlavorExtraSpecsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-flavor-extra-specs:index")
    def test_list_flavor_extra_specs(self):
        self._set_flavor_extra_spec()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_flavor_extra_specs(self.flavor['id'])['extra_specs']
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ip_pools_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -45,7 +44,7 @@ class FloatingIpPoolsRbacTest(rbac_base.BaseV2ComputeRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FloatingIpPoolsRbacTest, self).tearDown()

    @decorators.idempotent_id('c1a17153-b25d-4444-a721-5897d7737482')
@@ -53,5 +52,5 @@ class FloatingIpPoolsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-floating-ip-pools")
    def test_list_floating_ip_pools(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_floating_ip_pools()['floating_ip_pools']
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_bulk_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -45,7 +44,7 @@ class FloatingIpsBulkRbacTest(rbac_base.BaseV2ComputeRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FloatingIpsBulkRbacTest, self).tearDown()

    @decorators.idempotent_id('3b5c8a02-005d-4256-8a95-6fa2f389c6cf')
@@ -53,5 +52,5 @@ class FloatingIpsBulkRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-floating-ips-bulk")
    def test_list_floating_ips_bulk(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_floating_ips_bulk()['floating_ip_info']
--- a/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_floating_ips_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -45,7 +44,7 @@ class FloatingIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FloatingIpsRbacTest, self).tearDown()

    @decorators.idempotent_id('ac1b3053-f755-4cda-85a0-30e88b88d7ba')
@@ -53,5 +52,5 @@ class FloatingIpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-floating-ips")
    def test_list_floating_ips(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_floating_ips()['floating_ips']
--- a/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hosts_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -38,7 +37,7 @@ class HostsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
                '%s skipped as no compute extensions enabled' % cls.__name__)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(HostsAdminRbacTest, self).tearDown()

    @decorators.idempotent_id('035b7935-2fae-4218-8d37-27fa83097494')
@@ -46,5 +45,5 @@ class HostsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-hosts")
    def test_list_hosts(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_hosts()['hosts']
--- a/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_hypervisor_rbac.py
@@ -17,7 +17,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -37,7 +36,7 @@ class HypervisorAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(HypervisorAdminRbacTest, self).tearDown()

    @decorators.idempotent_id('17bbeb9a-e73e-445f-a771-c794448ef562')
@@ -45,5 +44,5 @@ class HypervisorAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-hypervisors")
    def test_list_hypervisors(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_hypervisors()['hypervisors']
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_actions.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -44,7 +43,7 @@ class InstanceActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.request_id = cls.server.response['x-compute-request-id']

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(InstanceActionsRbacTest, self).tearDown()

    @decorators.idempotent_id('9d1b131d-407e-4fa3-8eef-eb2c4526f1da')
--- a/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_instance_usages_audit_log_rbac.py
@@ -17,7 +17,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -38,13 +37,13 @@ class InstanceUsagesAuditLogAdminRbacTest(
        cls.client = cls.instance_usages_audit_log_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(InstanceUsagesAuditLogAdminRbacTest, self).tearDown()

    @decorators.idempotent_id('c80246c0-5c13-4ab0-97ba-91551cd53dc1')
    @rbac_rule_validation.action(
        service="nova", rule="os_compute_api:os-instance-usage-audit-log")
    def test_list_instance_usage_audit_logs(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_instance_usage_audit_logs()
        ["instance_usage_audit_logs"]
--- a/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_ips_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -51,7 +50,7 @@ class IpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IpsRbacTest, self).tearDown()

    @decorators.idempotent_id('6886d360-0d86-4760-b1a3-882d81fbebcc')
@@ -59,7 +58,7 @@ class IpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:ips:index")
    def test_list_addresses(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_addresses(self.server['id'])['addresses']

    @decorators.idempotent_id('fa43e7e5-0db9-48eb-9c6b-c11eb766b8e4')
@@ -69,6 +68,6 @@ class IpsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    def test_list_addresses_by_network(self):
        addresses = self.client.list_addresses(self.server['id'])['addresses']
        address = next(iter(addresses))
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_addresses_by_network(
            self.server['id'], address)[address]
--- a/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_limits_rbac.py
@@ -15,7 +15,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -24,7 +23,7 @@ CONF = config.CONF
 class LimitsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(LimitsRbacTest, self).tearDown()

    @classmethod
@@ -43,5 +42,5 @@ class LimitsRbacTest(rbac_base.BaseV2ComputeRbacTest):
                                 rule="os_compute_api:limits")
    @decorators.idempotent_id('3fb60f83-9a5f-4fdd-89d9-26c3710844a1')
    def test_show_limits(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_limits()
--- a/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_migrations_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -38,7 +37,7 @@ class MigrationsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
                '%s skipped as no compute extensions enabled' % cls.__name__)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(MigrationsAdminRbacTest, self).tearDown()

    @decorators.idempotent_id('5795231c-3729-448c-a072-9a225db1a328')
@@ -46,5 +45,5 @@ class MigrationsAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        service="nova",
        rule="os_compute_api:os-migrations:index")
    def test_list_services(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_migrations()['migrations']
--- a/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_rescue_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -43,7 +42,7 @@ class RescueRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(RescueRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -51,5 +50,5 @@ class RescueRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-rescue")
    @decorators.idempotent_id('fbbb2afc-ed0e-4552-887d-ac00fb5d436e')
    def test_rescue_server(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.rescue_server(self.server['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_security_groups_rbac.py
@@ -16,14 +16,13 @@
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


 class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(SecurityGroupsRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -31,5 +30,5 @@ class SecurityGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-security-groups")
    @decorators.idempotent_id('4ac58e49-48c1-4fca-a6c3-3f95fb99eb77')
    def test_server_security_groups(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.security_groups_client.list_security_groups()
--- a/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_actions_rbac.py
@@ -18,7 +18,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -27,7 +26,7 @@ CONF = config.CONF
 class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerActionsRbacTest, self).tearDown()

    @classmethod
@@ -68,7 +67,7 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:servers:stop")
    @decorators.idempotent_id('ab4a17d2-166f-4a6d-9944-f17baa576cf2')
    def test_stop_server(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._test_stop_server()

    @rbac_rule_validation.action(
@@ -77,5 +76,5 @@ class ServerActionsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('8876bfa9-4d10-406e-a335-a57e451abb12')
    def test_start_server(self):
        self._test_stop_server()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._test_start_server()
--- a/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_diagnostics_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -43,7 +42,7 @@ class ServerDiagnosticsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerDiagnosticsRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -51,5 +50,5 @@ class ServerDiagnosticsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-server-diagnostics")
    @decorators.idempotent_id('5dabfcc4-bedb-417b-8247-b3ee7c5c0f3e')
    def test_show_server_diagnostics(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_server_diagnostics(self.server['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_groups_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -43,7 +42,7 @@ class ServerGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerGroupsRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -51,7 +50,7 @@ class ServerGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-server-groups:create")
    @decorators.idempotent_id('7f3eae94-6130-47e9-81ac-34009f55be2f')
    def test_create_server_group(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_test_server_group()

    @rbac_rule_validation.action(
@@ -60,7 +59,7 @@ class ServerGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('832d9be3-632e-47b2-93d2-5897db43e3e2')
    def test_delete_server_group(self):
        server_group = self.create_test_server_group()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_server_group(server_group['id'])

    @rbac_rule_validation.action(
@@ -68,7 +67,7 @@ class ServerGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-server-groups:index")
    @decorators.idempotent_id('5eccd67f-5945-483b-b1c8-de851ebfc1c1')
    def test_list_server_groups(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_server_groups()

    @rbac_rule_validation.action(
@@ -77,5 +76,5 @@ class ServerGroupsRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('62534e3f-7e99-4a3d-a08e-33e056460cf2')
    def test_show_server_group(self):
        server_group = self.create_test_server_group()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_server_group(server_group['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_password_rbac.py
@@ -17,7 +17,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base


@@ -42,7 +41,7 @@ class ServerPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerPasswordRbacTest, self).tearDown()

    @decorators.idempotent_id('43ad7995-2f12-41cd-8ef1-bae9ffc36818')
@@ -50,5 +49,5 @@ class ServerPasswordRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-server-password")
    def test_delete_password(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_password(self.server['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_usage_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -43,7 +42,7 @@ class ServerUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerUsageRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -51,5 +50,5 @@ class ServerUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-server-usage")
    @decorators.idempotent_id('f0437ead-b9fb-462a-9f3d-ce53fac9d57a')
    def test_show_server_diagnostics(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_server(self.server['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_server_volume_attachments_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -52,7 +51,7 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
        super(ServerVolumeAttachmentRbacTest, cls).resource_cleanup()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServerVolumeAttachmentRbacTest, self).tearDown()

    def _create_and_attach(self):
@@ -83,7 +82,7 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-volumes-attachments:index")
    @decorators.idempotent_id('529b668b-6edb-41d5-8886-d7dbd0614678')
    def test_list_volume_attachments(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_volume_attachments(self.server['id'])
        ['volumeAttachments']

@@ -93,7 +92,7 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('21c2c3fd-fbe8-41b1-8ef8-115ec47d54c1')
    def test_create_volume_attachment(self):
        self.volume = self.create_volume()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._attach(self.server, self.volume)

    @rbac_rule_validation.action(
@@ -102,7 +101,7 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('997df9c2-6e54-47b6-ab74-e4fdb500f385')
    def test_show_volume_attachment(self):
        self._create_and_attach()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_volume_attachment(
            self.server['id'], self.attachment['id'])

@@ -113,7 +112,7 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
    def test_update_volume_attachment(self):
        self._create_and_attach()
        self.volume = self.create_volume()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.update_attached_volume(
            self.server['id'], self.attachment['id'],
            volumeId=self.volume['id'])
@@ -127,5 +126,5 @@ class ServerVolumeAttachmentRbacTest(rbac_base.BaseV2ComputeRbacTest):
    @decorators.idempotent_id('12b03e90-d087-46af-9c4d-507d021c4984')
    def test_delete_volume_attachment(self):
        self._create_and_attach()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._detach(self.server['id'], self.volume['id'])
--- a/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_services_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -38,7 +37,7 @@ class ServicesAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
                '%s skipped as no compute extensions enabled' % cls.__name__)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ServicesAdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -46,5 +45,5 @@ class ServicesAdminRbacTest(rbac_base.BaseV2ComputeAdminRbacTest):
        rule="os_compute_api:os-services")
    @decorators.idempotent_id('7472261b-9c6d-453a-bcb3-aecaa29ad281')
    def test_list_services(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_services()['services']
--- a/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_simple_tenant_usage_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -26,7 +25,7 @@ CONF = config.CONF
 class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(SimpleTenantUsageRbacTest, self).tearDown()

    @classmethod
@@ -46,7 +45,7 @@ class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
        rule="os_compute_api:os-simple-tenant-usage:list")
    @decorators.idempotent_id('2aef094f-0452-4df6-a66a-0ec22a92b16e')
    def test_simple_tenant_usage_list(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_tenant_usages()

    @rbac_rule_validation.action(
@@ -58,5 +57,5 @@ class SimpleTenantUsageRbacTest(rbac_base.BaseV2ComputeRbacTest):
        # the validation method in the API call throws an error.
        self.create_test_server(wait_until='ACTIVE')['id']
        tenant_id = self.auth_provider.credentials.tenant_id
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_tenant_usage(tenant_id=tenant_id)
--- a/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_suspend_server_rbac.py
@@ -18,7 +18,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = config.CONF
@@ -45,7 +44,7 @@ class SuspendServerRbacTest(rbac_base.BaseV2ComputeRbacTest):
        cls.server = cls.create_test_server(wait_until='ACTIVE')

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)

        # Guarantee that the server is active during each test run.
        vm_state = self.client.show_server(self.server['id'])['server'][
@@ -62,7 +61,7 @@ class SuspendServerRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-suspend-server:suspend")
    def test_suspend_server(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.suspend_server(self.server['id'])
        waiters.wait_for_server_status(self.client, self.server['id'],
                                       'SUSPENDED')
@@ -75,7 +74,8 @@ class SuspendServerRbacTest(rbac_base.BaseV2ComputeRbacTest):
        self.client.suspend_server(self.server['id'])
        waiters.wait_for_server_status(self.client, self.server['id'],
                                       'SUSPENDED')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.resume_server(self.server['id'])
-        waiters.wait_for_server_status(self.client, self.server['id'],
+        waiters.wait_for_server_status(self.client,
+                                       self.server['id'],
                                       'ACTIVE')
--- a/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/compute/test_tenant_networks_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib import decorators
 from tempest import test

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.compute import rbac_base

 CONF = cfg.CONF
@@ -53,7 +52,7 @@ class TenantNetworksRbacTest(rbac_base.BaseV2ComputeRbacTest):
        super(TenantNetworksRbacTest, cls).setup_credentials()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(TenantNetworksRbacTest, self).tearDown()

    @decorators.idempotent_id('42b39ba1-14aa-4799-9518-34367d0da67a')
@@ -61,5 +60,5 @@ class TenantNetworksRbacTest(rbac_base.BaseV2ComputeRbacTest):
        service="nova",
        rule="os_compute_api:os-tenant-networks")
    def test_list_show_tenant_networks(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_tenant_networks()['networks']
--- a/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/rbac_base.py
@@ -18,12 +18,14 @@ from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -31,9 +33,11 @@ class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseIdentityV2AdminRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
@@ -42,6 +46,7 @@ class BaseIdentityV2AdminRbacTest(base.BaseIdentityV2AdminTest):
        cls.admin_client = cls.os_adm.identity_client
        cls.tenants_client = cls.os.tenants_client
        cls.users_client = cls.os.users_client
+        cls.rbac_utils = rbac_utils()

    def _create_service(self):
        name = data_utils.rand_name('service')
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_endpoints_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base

 CONF = config.CONF
@@ -41,7 +40,7 @@ class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        cls.internal_url = data_utils.rand_url()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityEndpointsV2AdminRbacTest, self).tearDown()

    def _create_endpoint(self):
@@ -68,7 +67,7 @@ class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        RBAC test for Identity Admin 2.0 create_endpoint
        """

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_endpoint()

    @rbac_rule_validation.action(service="keystone",
@@ -82,7 +81,7 @@ class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """

        endpoint = self._create_endpoint()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.delete_endpoint(endpoint['endpoint']['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -95,5 +94,5 @@ class IdentityEndpointsV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        RBAC test for Identity Admin 2.0 list_endpoint
        """

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.list_endpoints()
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_projects_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base

 CONF = config.CONF
@@ -26,7 +25,7 @@ CONF = config.CONF
 class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityProjectV2AdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="keystone",
@@ -39,7 +38,7 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        RBAC test for Identity 2.0 create_tenant
        """

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_tenant()

    @rbac_rule_validation.action(service="keystone",
@@ -53,7 +52,7 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """
        tenant = self._create_tenant()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.tenants_client.update_tenant(tenant['id'],
                                          description="Changed description")

@@ -68,7 +67,7 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """
        tenant = self._create_tenant()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.tenants_client.delete_tenant(tenant['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -83,7 +82,7 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

        tenant = self._create_tenant()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.tenants_client.show_tenant(tenant['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -95,7 +94,7 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

        RBAC test for Identity 2.0 list_tenants
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.tenants_client.list_tenants()

    @rbac_rule_validation.action(service="keystone",
@@ -109,5 +108,5 @@ class IdentityProjectV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """
        tenant = self._create_tenant()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.tenants_client.list_tenant_users(tenant['id'])
--- a/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v2/test_services_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v2 import rbac_base

 CONF = config.CONF
@@ -26,7 +25,7 @@ CONF = config.CONF
 class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityServicesV2AdminRbacTest, self).tearDown()

    @classmethod
@@ -42,7 +41,7 @@ class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

        RBAC test for Identity Admin 2.0 create_service
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_service()

    @rbac_rule_validation.action(service="keystone",
@@ -55,7 +54,7 @@ class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """
        service_id = self._create_service()['OS-KSADM:service']['id']

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.delete_service(service_id)

    @rbac_rule_validation.action(service="keystone",
@@ -68,7 +67,7 @@ class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):
        """
        service_id = self._create_service()['OS-KSADM:service']['id']

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.show_service(service_id)

    @rbac_rule_validation.action(service="keystone",
@@ -79,5 +78,5 @@ class IdentityServicesV2AdminRbacTest(rbac_base.BaseIdentityV2AdminRbacTest):

        RBAC test for Identity Admin 2.0 list_service
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.list_services()
--- a/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/rbac_base.py
@@ -18,12 +18,14 @@ from tempest import config
 from tempest.lib.common.utils import data_utils
 from tempest.lib.common.utils import test_utils

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -31,9 +33,11 @@ class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if CONF.auth.tempest_roles != ['admin']:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseIdentityV3RbacAdminTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
@@ -45,6 +49,7 @@ class BaseIdentityV3RbacAdminTest(base.BaseIdentityV3AdminTest):
        cls.endpoints_client = cls.os.endpoints_v3_client
        cls.groups_client = cls.os.groups_client
        cls.policies_client = cls.os.policies_client
+        cls.rbac_utils = rbac_utils()

    def _create_service(self):
        """Creates a service for test."""
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_credentials_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base


@@ -27,7 +26,7 @@ class IdentityCredentialsV3AdminRbacTest(

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityCredentialsV3AdminRbacTest, self).tearDown()

    def _create_credential(self):
@@ -58,7 +57,7 @@ class IdentityCredentialsV3AdminRbacTest(

        RBAC test for Keystone: identity:create_credential
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_credential()

    @rbac_rule_validation.action(service="keystone",
@@ -74,7 +73,7 @@ class IdentityCredentialsV3AdminRbacTest(
        new_keys = [data_utils.rand_name('NewAccess'),
                    data_utils.rand_name('NewSecret')]

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.creds_client \
            .update_credential(credential['id'],
                               credential=credential,
@@ -92,7 +91,7 @@ class IdentityCredentialsV3AdminRbacTest(
        """
        _, credential = self._create_credential()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.creds_client.delete_credential(credential['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -105,7 +104,7 @@ class IdentityCredentialsV3AdminRbacTest(
        """
        _, credential = self._create_credential()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.creds_client.show_credential(credential['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -116,5 +115,5 @@ class IdentityCredentialsV3AdminRbacTest(

        RBAC test for Keystone: identity:list_credentials
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.creds_client.list_credentials()
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_endpoints_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -43,7 +42,7 @@ class IdentityEndpointsV3AdminRbacTest(

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityEndpointsV3AdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="keystone",
@@ -54,7 +53,7 @@ class IdentityEndpointsV3AdminRbacTest(

        RBAC test for Keystone: identity:create_endpoint
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_endpoint()

    @rbac_rule_validation.action(service="keystone",
@@ -68,7 +67,7 @@ class IdentityEndpointsV3AdminRbacTest(
        service, endpoint = self._create_endpoint()
        new_url = data_utils.rand_url()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.update_endpoint(endpoint["id"],
                                              service_id=service['id'],
                                              url=new_url)
@@ -83,7 +82,7 @@ class IdentityEndpointsV3AdminRbacTest(
        """
        _, endpoint = self._create_endpoint()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.delete_endpoint(endpoint['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -96,7 +95,7 @@ class IdentityEndpointsV3AdminRbacTest(
        """
        _, endpoint = self._create_endpoint()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.show_endpoint(endpoint['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -107,5 +106,5 @@ class IdentityEndpointsV3AdminRbacTest(

        RBAC test for Keystone: identity:create_domain
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.endpoints_client.list_endpoints()
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_groups_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -29,7 +28,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityGroupsV3AdminRbacTest, self).tearDown()

    def _create_group(self):
@@ -55,7 +54,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
                                 rule="identity:create_group")
    @decorators.idempotent_id('88377f51-9074-4d64-a22f-f8931d048c9a')
    def test_create_group(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_group()

    @rbac_rule_validation.action(service="keystone",
@@ -66,7 +65,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        # Update Group
        new_name = data_utils.rand_name('UpdateGroup')

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.update_group(group['id'],
                                        name=new_name)

@@ -76,7 +75,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_delete_group(self):
        group = self._create_group()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.delete_group(group['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -85,14 +84,14 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_show_group(self):
        group = self._create_group()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.show_group(group['id'])

    @rbac_rule_validation.action(service="keystone",
                                 rule="identity:list_groups")
    @decorators.idempotent_id('c4d0f76b-735f-4fd0-868b-0006bc420ff4')
    def test_list_groups(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.list_groups()

    @rbac_rule_validation.action(service="keystone",
@@ -101,7 +100,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_add_user_group(self):
        group = self._create_group()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._add_user_to_group(group['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -111,7 +110,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        group = self._create_group()
        user_id = self._add_user_to_group(group['id'])

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.delete_group_user(group['id'], user_id)

    @rbac_rule_validation.action(service="keystone",
@@ -120,7 +119,7 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_list_user_group(self):
        group = self._create_group()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.list_group_users(group['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -130,5 +129,5 @@ class IdentityGroupsV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        group = self._create_group()
        user_id = self._add_user_to_group(group['id'])

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.groups_client.check_group_user_existence(group['id'], user_id)
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_policies_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -29,7 +28,7 @@ class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityPoliciesV3AdminRbacTest, self).tearDown()

    def _create_policy(self):
@@ -49,7 +48,7 @@ class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
                                 rule="identity:create_policy")
    @decorators.idempotent_id('de2f7ecb-fbf0-41f3-abf4-b97b5e082fd5')
    def test_create_policy(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_policy()

    @rbac_rule_validation.action(service="keystone",
@@ -59,7 +58,7 @@ class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        policy = self._create_policy()
        update_type = data_utils.rand_name('UpdatedPolicyType')

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.policies_client.update_policy(policy['id'],
                                           type=update_type)

@@ -69,7 +68,7 @@ class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_delete_policy(self):
        policy = self._create_policy()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.policies_client.delete_policy(policy['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -78,12 +77,12 @@ class IdentityPoliciesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
    def test_show_policy(self):
        policy = self._create_policy()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.policies_client.show_policy(policy['id'])

    @rbac_rule_validation.action(service="keystone",
                                 rule="identity:list_policies")
    @decorators.idempotent_id('35a56161-4054-4237-8a78-7ce805dce202')
    def test_list_policies(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.policies_client.list_policies()['policies']
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_projects_rbac.py
@@ -18,7 +18,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -29,7 +28,7 @@ class IdentityProjectV3AdminRbacTest(

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityProjectV3AdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="keystone",
@@ -41,7 +40,7 @@ class IdentityProjectV3AdminRbacTest(
        RBAC test for Keystone: identity:create_project
        """
        name = data_utils.rand_name('project')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        project = self.non_admin_projects_client \
                      .create_project(name)['project']
        self.addCleanup(self.projects_client.delete_project, project['id'])
@@ -56,7 +55,7 @@ class IdentityProjectV3AdminRbacTest(
        """
        project = self._setup_test_project()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_projects_client \
            .update_project(project['id'],
                            description="Changed description")
@@ -71,7 +70,7 @@ class IdentityProjectV3AdminRbacTest(
        """
        project = self._setup_test_project()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_projects_client.delete_project(project['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -84,7 +83,7 @@ class IdentityProjectV3AdminRbacTest(
        """
        project = self._setup_test_project()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_projects_client.show_project(project['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -95,5 +94,5 @@ class IdentityProjectV3AdminRbacTest(

        RBAC test for Keystone: identity:list_projects
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_projects_client.list_projects()
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_services_rbac.py
@@ -18,7 +18,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -28,7 +27,7 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentitySericesV3AdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="keystone",
@@ -39,7 +38,7 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):

        RBAC test for Keystone: identity:create_service
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_service()

    @rbac_rule_validation.action(service="keystone",
@@ -53,7 +52,7 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        service = self._create_service()
        new_name = data_utils.rand_name('new_test_name')

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.update_service(service['id'],
                                            service=service,
                                            name=new_name,
@@ -69,7 +68,7 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        """
        service = self._create_service()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.delete_service(service['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -82,7 +81,7 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):
        """
        service = self._create_service()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.show_service(service['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -93,5 +92,5 @@ class IdentitySericesV3AdminRbacTest(rbac_base.BaseIdentityV3RbacAdminTest):

        RBAC test for Keystone: identity:list_services
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.services_client.list_services()
--- a/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
+++ b/patrole_tempest_plugin/tests/api/identity/v3/test_users_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.identity.v3 import rbac_base

 CONF = config.CONF
@@ -29,7 +28,7 @@ class IdentityUserV3AdminRbacTest(

    def tearDown(self):
        """Reverts user back to admin for cleanup."""
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(IdentityUserV3AdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="keystone",
@@ -41,7 +40,7 @@ class IdentityUserV3AdminRbacTest(
        RBAC test for Keystone: identity:create_user
        """
        user_name = data_utils.rand_name('test_create_user')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.create_user(name=user_name)

    @rbac_rule_validation.action(service="keystone",
@@ -55,7 +54,7 @@ class IdentityUserV3AdminRbacTest(
        user_name = data_utils.rand_name('test_update_user')
        user = self._create_test_user(name=user_name, password=None)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.update_user(user['id'],
                                                name=user_name,
                                                email="changedUser@xyz.com")
@@ -71,7 +70,7 @@ class IdentityUserV3AdminRbacTest(
        user_name = data_utils.rand_name('test_delete_user')
        user = self._create_test_user(name=user_name, password=None)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.delete_user(user['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -82,7 +81,7 @@ class IdentityUserV3AdminRbacTest(

        RBAC test for Keystone: identity:list_users
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.list_users()

    @rbac_rule_validation.action(service="keystone",
@@ -96,7 +95,7 @@ class IdentityUserV3AdminRbacTest(
        user_name = data_utils.rand_name('test_get_user')
        user = self._create_test_user(name=user_name, password=None)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.show_user(user['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -110,7 +109,7 @@ class IdentityUserV3AdminRbacTest(
        user_name = data_utils.rand_name('test_change_password')
        user = self._create_test_user(name=user_name, password='nova')

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client \
            .update_user_password(user['id'],
                                  original_password='nova',
@@ -127,7 +126,7 @@ class IdentityUserV3AdminRbacTest(
        user_name = data_utils.rand_name('User')
        user = self._create_test_user(name=user_name, password=None)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.list_user_groups(user['id'])

    @rbac_rule_validation.action(service="keystone",
@@ -140,5 +139,5 @@ class IdentityUserV3AdminRbacTest(
        """
        user = self.setup_test_user()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.non_admin_users_client.list_user_projects(user['id'])
--- a/patrole_tempest_plugin/tests/api/image/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/image/rbac_base.py
@@ -11,16 +11,17 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-# Maybe these should be in lib or recreated?
 from tempest.api.image import base as image_base
 from tempest import config

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -28,20 +29,23 @@ class BaseV1ImageRbacTest(image_base.BaseV1ImageTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseV1ImageRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseV1ImageRbacTest, cls).setup_clients()
        cls.auth_provider = cls.os.auth_provider
        cls.admin_client = cls.os_adm.image_client
+        cls.rbac_utils = rbac_utils()


 class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -49,12 +53,15 @@ class BaseV2ImageRbacTest(image_base.BaseV2ImageTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseV2ImageRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseV2ImageRbacTest, cls).setup_clients()
        cls.auth_provider = cls.os.auth_provider
        cls.admin_client = cls.os_adm.image_client_v2
+        cls.rbac_utils = rbac_utils()
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_member_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base as base

 CONF = config.CONF
@@ -39,7 +38,7 @@ class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
        cls.alt_tenant_id = cls.alt_image_member_client.tenant_id

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImagesMemberRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance", rule="add_member")
@@ -51,7 +50,7 @@ class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
        """
        image = self.create_image()
        # Toggle role and add image member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.create_image_member(image['id'],
                                                     self.alt_tenant_id)

@@ -66,7 +65,7 @@ class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
        self.image_member_client.create_image_member(image['id'],
                                                     self.alt_tenant_id)
        # Toggle role and delete image member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.delete_image_member(image['id'],
                                                     self.alt_tenant_id)

@@ -81,5 +80,5 @@ class ImagesMemberRbacTest(base.BaseV1ImageRbacTest):
        self.image_member_client.create_image_member(image['id'],
                                                     self.alt_tenant_id)
        # Toggle role and delete image member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.list_image_members(image['id'])
--- a/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v1/test_images_rbac.py
@@ -20,7 +20,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -29,7 +28,7 @@ CONF = config.CONF
 class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(BasicOperationsImagesRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance", rule="add_image")
@@ -41,7 +40,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
        """
        properties = {'prop1': 'val1'}
        image_name = data_utils.rand_name('image')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_image(name=image_name,
                          container_format='bare',
                          disk_format='raw',
@@ -63,7 +62,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
                                 is_public=False,
                                 properties=properties)
        image_id = body['id']
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_image(image_id)

    @rbac_rule_validation.action(service="glance", rule="download_image")
@@ -85,7 +84,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
        image_file = moves.cStringIO(data_utils.random_bytes())
        self.client.update_image(image_id, data=image_file)
        # Toggle role and get created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_image(image_id)

    @rbac_rule_validation.action(service="glance", rule="get_image")
@@ -107,7 +106,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
        image_file = moves.cStringIO(data_utils.random_bytes())
        self.client.update_image(image_id, data=image_file)
        # Toggle role and get created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.check_image(image_id)

    @rbac_rule_validation.action(service="glance", rule="get_images")
@@ -117,7 +116,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):

        RBAC test for the glance get_images policy.
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_images()

    @rbac_rule_validation.action(service="glance", rule="modify_image")
@@ -136,7 +135,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
                                 properties=properties)
        image_id = body.get('id')
        properties = {'prop1': 'val2'}
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.update_image(image_id, headers=properties)

    @rbac_rule_validation.action(service="glance", rule="publicize_image")
@@ -148,7 +147,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV1ImageRbacTest):
        """
        image_name = data_utils.rand_name('image')
        properties = {'prop1': 'val1'}
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_image(name=image_name,
                          container_format='bare',
                          disk_format='raw',
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_objects_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -28,7 +27,7 @@ CONF = config.CONF
 class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImageNamespacesObjectsRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance",
@@ -40,7 +39,7 @@ class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance add_metadef_object policy
        """
        namespace = self.create_namespace()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # create a md object, it will be cleaned automatically after
        # cleanup of namespace
        object_name = data_utils.rand_name('test-object')
@@ -60,7 +59,7 @@ class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance get_metadef_objects policy
        """
        namespace = self.create_namespace()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # list md objects
        self.namespace_objects_client.list_namespace_objects(
            namespace['namespace'])
@@ -83,7 +82,7 @@ class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):
                        namespace['namespace'], object_name)

        # Toggle role and modify object
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        new_name = "Object New Name"
        self.namespace_objects_client.update_namespace_object(
            namespace['namespace'], object_name, name=new_name)
@@ -105,7 +104,7 @@ class ImageNamespacesObjectsRbacTest(rbac_base.BaseV2ImageRbacTest):
                        self.namespace_objects_client.delete_namespace_object,
                        namespace['namespace'], object_name)
        # Toggle role and get object
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespace_objects_client.show_namespace_object(
            namespace['namespace'],
            object_name)
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_property_rbac.py
@@ -18,7 +18,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -33,7 +32,7 @@ class NamespacesPropertyRbacTest(rbac_base.BaseV2ImageRbacTest):
        cls.resource_name = body['resource_types'][0]['name']

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(NamespacesPropertyRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance",
@@ -45,7 +44,7 @@ class NamespacesPropertyRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance add_metadef_property policy
        """
        namespace = self.create_namespace()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        property_name = data_utils.rand_name('test-ns-property')
        self.namespace_properties_client.create_namespace_property(
            namespace=namespace['namespace'], type="string",
@@ -60,7 +59,7 @@ class NamespacesPropertyRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance get_metadef_properties policy
        """
        namespace = self.create_namespace()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespace_properties_client.list_namespace_properties(
            namespace=namespace['namespace'])

@@ -78,7 +77,7 @@ class NamespacesPropertyRbacTest(rbac_base.BaseV2ImageRbacTest):
            namespace=namespace['namespace'], type="string",
            title=property_name, name=self.resource_name)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespace_properties_client.show_namespace_properties(
            namespace['namespace'], self.resource_name)

@@ -96,7 +95,7 @@ class NamespacesPropertyRbacTest(rbac_base.BaseV2ImageRbacTest):
            namespace=namespace['namespace'], type="string",
            title=property_name, name=self.resource_name)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespace_properties_client.update_namespace_properties(
            namespace['namespace'], self.resource_name, type="string",
            title=property_name, name=self.resource_name)
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -28,7 +27,7 @@ CONF = config.CONF
 class ImageNamespacesRbacTest(rbac_base.BaseV2ImageRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImageNamespacesRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance",
@@ -40,7 +39,7 @@ class ImageNamespacesRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance add_metadef_namespace policy
        """
        namespace_name = data_utils.rand_name('test-ns')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespaces_client.create_namespace(
            namespace=namespace_name,
            protected=False)
@@ -57,7 +56,7 @@ class ImageNamespacesRbacTest(rbac_base.BaseV2ImageRbacTest):

        RBAC test for the glance get_metadef_namespaces policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespaces_client.list_namespaces()

    @rbac_rule_validation.action(service="glance",
@@ -72,7 +71,7 @@ class ImageNamespacesRbacTest(rbac_base.BaseV2ImageRbacTest):
        body = self.namespaces_client.create_namespace(
            namespace=namespace_name,
            protected=False)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.namespaces_client.update_namespace(body['namespace'],
                                                description="My new "
                                                            "description")
--- a/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_image_namespace_resource_type.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -28,7 +27,7 @@ CONF = config.CONF
 class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImageNamespacesResourceTypeRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance",
@@ -39,7 +38,7 @@ class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):

        RBAC test for the glance list_metadef_resource_type policy.
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.resource_types_client.list_resource_types()

    @rbac_rule_validation.action(service="glance",
@@ -59,6 +58,6 @@ class ImageNamespacesResourceTypeRbacTest(rbac_base.BaseV2ImageRbacTest):
            self.namespaces_client.delete_namespace,
            namespace_name)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.resource_types_client.list_resource_type_association(
            namespace_name)
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_member_rbac.py
@@ -20,7 +20,6 @@ from tempest.lib import exceptions

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base as base

 CONF = config.CONF
@@ -29,7 +28,7 @@ LOG = logging.getLogger(__name__)

 class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):

-    credentials = ['primary', 'alt', 'admin']
+    credentials = ['admin', 'alt']

    @classmethod
    def resource_setup(cls):
@@ -45,11 +44,11 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
        cls.alt_image_member_client = cls.os_alt.image_member_client_v2

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImagesMemberRbacTest, self).tearDown()

    def setUp(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ImagesMemberRbacTest, self).setUp()

    @rbac_rule_validation.action(service="glance",
@@ -63,7 +62,7 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
        """
        image_id = self.create_image()['id']
        # Toggle role and add image member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.create_image_member(image_id,
                                                     member=self.alt_tenant_id)

@@ -80,7 +79,7 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
        self.image_member_client.create_image_member(image_id,
                                                     member=self.alt_tenant_id)
        # Toggle role and delete image member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.delete_image_member(image_id,
                                                     self.alt_tenant_id)

@@ -100,7 +99,7 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
                member=self.alt_tenant_id)

            # Toggle role and get image member
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.image_member_client.show_image_member(
                image_id,
                self.alt_tenant_id)
@@ -126,7 +125,7 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
            image_id,
            member=self.image_client.tenant_id)
        # Toggle role and update member
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.update_image_member(
            image_id, self.image_client.tenant_id,
            status='accepted')
@@ -144,5 +143,5 @@ class ImagesMemberRbacTest(base.BaseV2ImageRbacTest):
        self.image_member_client.create_image_member(image_id,
                                                     member=self.alt_tenant_id)
        # Toggle role and list image members
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.image_member_client.list_image_members(image_id)
--- a/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
+++ b/patrole_tempest_plugin/tests/api/image/v2/test_images_rbac.py
@@ -21,7 +21,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.image import rbac_base

 CONF = config.CONF
@@ -36,7 +35,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        cls.client = cls.os.image_client_v2

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(BasicOperationsImagesRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="glance",
@@ -50,7 +49,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        """
        uuid = '00000000-1111-2222-3333-444455556666'
        image_name = data_utils.rand_name('image')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_image(name=image_name,
                          container_format='bare',
                          disk_format='raw',
@@ -74,7 +73,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
                                 visibility='private',
                                 ramdisk_id=uuid)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Try uploading an image file
        image_file = moves.cStringIO(data_utils.random_bytes())
        self.client.store_image_file(body['id'], image_file)
@@ -95,7 +94,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
                                 visibility='public')
        image_id = body.get('id')
        # Toggle role and delete created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_image(image_id)
        self.client.wait_for_resource_deletion(image_id)

@@ -116,7 +115,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
                                 visibility='private')
        image_id = body.get('id')
        # Toggle role and get created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_image(image_id)

    @rbac_rule_validation.action(service="glance",
@@ -130,7 +129,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        """

        # Toggle role and get created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_images()

    @rbac_rule_validation.action(service="glance",
@@ -154,7 +153,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        self.client.store_image_file(image_id, image_file)

        # Toggle role and update created image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        new_image_name = data_utils.rand_name('new-image')
        body = self.client.update_image(image_id, [
            dict(replace='/name', value=new_image_name)])
@@ -169,7 +168,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        RBAC test for the glance publicize_image endpoint
        """
        image_name = data_utils.rand_name('image')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_image(name=image_name,
                          container_format='bare',
                          disk_format='raw',
@@ -196,7 +195,7 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        image_file = moves.cStringIO(data_utils.random_bytes())
        self.client.store_image_file(image_id=image_id, data=image_file)
        # Toggling role and deacivate image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.deactivate_image(image_id)

    @rbac_rule_validation.action(service="glance",
@@ -221,5 +220,5 @@ class BasicOperationsImagesRbacTest(rbac_base.BaseV2ImageRbacTest):
        image_file = moves.cStringIO(data_utils.random_bytes())
        self.client.store_image_file(image_id=image_id, data=image_file)
        # Toggling role and reactivate image
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.reactivate_image(image_id)
--- a/patrole_tempest_plugin/tests/api/network/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/network/rbac_base.py
@@ -16,12 +16,14 @@
 from tempest.api.network import base as network_base
 from tempest import config

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseNetworkRbacTest(network_base.BaseNetworkTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -29,12 +31,15 @@ class BaseNetworkRbacTest(network_base.BaseNetworkTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseNetworkRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseNetworkRbacTest, cls).setup_clients()
        cls.auth_provider = cls.os.auth_provider
        cls.admin_client = cls.os_adm.agents_client
+        cls.rbac_utils = rbac_utils()
--- a/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_floating_ips_rbac.py
@@ -23,7 +23,6 @@ from tempest.lib import exceptions

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.network import rbac_base as base

 CONF = config.CONF
@@ -71,7 +70,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
        return floating_ip

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(FloatingIpsRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="neutron",
@@ -82,7 +81,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_floatingip policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_floatingip()

    @rbac_rule_validation.action(service="neutron",
@@ -95,7 +94,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
        """
        fip = str(netaddr.IPAddress(self.cidr) + 10)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_floatingip(floating_ip_address=fip)

    @rbac_rule_validation.action(service="neutron",
@@ -107,7 +106,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron update_floatingip policy
        """
        floating_ip = self._create_floatingip()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)

        # Associate floating IP to the other port
        self.floating_ips_client.update_floatingip(
@@ -121,7 +120,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron get_floatingip policy
        """
        floating_ip = self._create_floatingip()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)

        try:
            # Show floating IP
@@ -141,7 +140,7 @@ class FloatingIpsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron delete_floatingip policy
        """
        floating_ip = self._create_floatingip()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)

        try:
            # Delete the floating IP
--- a/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_networks_rbac.py
@@ -22,7 +22,6 @@ from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.network import rbac_base as base

 CONF = config.CONF
@@ -129,7 +128,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        return updated_network

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(RbacNetworksTest, self).tearDown()

    @rbac_rule_validation.action(service="neutron",
@@ -141,7 +140,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_network policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_network()

    @rbac_rule_validation.action(service="neutron",
@@ -153,7 +152,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_network:shared policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_network(shared=True)

    @rbac_rule_validation.action(service="neutron",
@@ -165,7 +164,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_network:router:external policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_network(router_external=True)

    @rbac_rule_validation.action(service="neutron",
@@ -177,7 +176,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_network:provider:network_type policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_network(provider_network_type='vxlan')

    @rbac_rule_validation.action(
@@ -190,7 +189,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_network:provider:segmentation_id
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_network(provider_network_type='vxlan',
                             provider_segmentation_id=200)

@@ -203,7 +202,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron update_network policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        updated_network = self._update_network(admin=False)
        self.assertEqual(updated_network['admin_state_up'], False)

@@ -220,7 +219,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron update_network:shared policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        updated_network = self._update_network(shared_network=True)
        self.assertEqual(updated_network['shared'], True)

@@ -238,7 +237,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron update_network:router:external policy
        """
        network = self._create_network()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._update_network(net_id=network['id'], router_external=True)

    @rbac_rule_validation.action(service="neutron",
@@ -250,7 +249,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron get_network policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # show a network that has been created during class setup
        self.networks_client.show_network(self.admin_network['id'])

@@ -265,7 +264,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        """
        post_body = {'fields': 'router:external'}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.networks_client.show_network(self.admin_network['id'],
                                          **post_body)

@@ -280,7 +279,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        """
        post_body = {'fields': 'provider:network_type'}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        body = self.networks_client.show_network(self.admin_network['id'],
                                                 **post_body)
        showed_net = body['network']
@@ -299,7 +298,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        """
        post_body = {'fields': 'provider:physical_network'}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        body = self.networks_client.show_network(self.admin_network['id'],
                                                 **post_body)
        showed_net = body['network']
@@ -318,7 +317,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        """
        post_body = {'fields': 'provider:segmentation_id'}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        body = self.networks_client.show_network(self.admin_network['id'],
                                                 **post_body)
        showed_net = body['network']
@@ -339,7 +338,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron delete_network policy
        """
        network = self._create_network()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.networks_client.delete_network(network['id'])

    @rbac_rule_validation.action(service="neutron",
@@ -354,7 +353,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        network = self._create_network()
        self.assertEqual('ACTIVE', network['status'])

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Create a subnet
        self.create_subnet(network, enable_dhcp=False)

@@ -367,7 +366,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron get_subnet policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.subnets_client.show_subnet(self.admin_subnet['id'])

    @rbac_rule_validation.action(service="neutron",
@@ -379,7 +378,7 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron update_subnet policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.subnets_client.update_subnet(self.admin_subnet['id'],
                                          name="New_subnet")

@@ -399,6 +398,6 @@ class RbacNetworksTest(base.BaseNetworkRbacTest):
        # Create a subnet using admin privilege
        subnet = self.create_subnet(network, enable_dhcp=False)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Delete the subnet
        self.subnets_client.delete_subnet(subnet['id'])
--- a/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_ports_rbac.py
@@ -25,7 +25,6 @@ from tempest.lib import exceptions

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.network import rbac_base as base

 CONF = config.CONF
@@ -70,7 +69,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        return port

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(PortsRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="neutron",
@@ -78,7 +77,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
    @decorators.idempotent_id('0ec8c551-625c-4864-8a52-85baa7c40f22')
    def test_create_port(self):

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        post_body = {'network_id': self.admin_network['id']}
        self._create_port(**post_body)

@@ -90,7 +89,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id'],
                     'binding:host_id': "rbac_test_host"}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_port(**post_body)

    @rbac_rule_validation.action(service="neutron",
@@ -106,7 +105,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id'],
                     'fixed_ips': fixed_ips}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_port(**post_body)

    @rbac_rule_validation.action(service="neutron",
@@ -117,7 +116,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id'],
                     'mac_address': data_utils.rand_mac_address()}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_port(**post_body)

    @rbac_rule_validation.action(service="neutron",
@@ -130,7 +129,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id'],
                     'binding:profile': binding_profile}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_port(**post_body)

    @rbac_rule_validation.action(service="neutron",
@@ -145,7 +144,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id'],
                     'allowed_address_pairs': allowed_address_pairs}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_port(**post_body)

    @rbac_rule_validation.action(service="neutron", rule="get_port")
@@ -153,7 +152,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
    def test_show_port(self):

        try:
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)

            self.ports_client.show_port(self.admin_port['id'])

@@ -172,7 +171,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        fields = ['binding:vif_type']

        try:
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.ports_client.show_port(self.admin_port['id'],
                                        fields=fields)

@@ -191,7 +190,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        fields = ['binding:vif_details']

        try:
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.ports_client.show_port(self.admin_port['id'],
                                        fields=fields)

@@ -213,7 +212,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        port = self._create_port(**post_body)

        try:
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.ports_client.show_port(port['id'],
                                        fields=fields)

@@ -236,7 +235,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        port = self._create_port(**post_body)

        try:
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.ports_client.show_port(port['id'],
                                        fields=fields)

@@ -252,7 +251,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
    def test_update_port(self):

        port = self.create_port(self.admin_network)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(port['id'],
                                      admin_state_up=False)

@@ -262,7 +261,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
    def test_update_port_mac_address(self):

        port = self.create_port(self.admin_network)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(
            port['id'],
            mac_address=data_utils.rand_mac_address())
@@ -278,7 +277,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id']}
        port = self._create_port(**post_body)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(port['id'],
                                      fixed_ips=fixed_ips)

@@ -288,7 +287,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
    def test_update_port_security_enabled(self):

        port = self.create_port(self.admin_network)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(port['id'],
                                      security_groups=[])

@@ -304,7 +303,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        updated_body = {'port_id': port['id'],
                        'binding:host_id': 'rbac_test_host_updated'}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(**updated_body)

    @rbac_rule_validation.action(service="neutron",
@@ -322,7 +321,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        updated_body = {'port_id': port['id'],
                        'binding:profile': new_binding_profile}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(**updated_body)

    @rbac_rule_validation.action(service="neutron",
@@ -337,7 +336,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):
        post_body = {'network_id': self.admin_network['id']}
        port = self._create_port(**post_body)

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.ports_client.update_port(port['id'],
                                      allowed_address_pairs=address_pairs)

@@ -348,7 +347,7 @@ class PortsRbacTest(base.BaseNetworkRbacTest):

        try:
            port = self._create_port(network_id=self.admin_network['id'])
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            self.ports_client.delete_port(port['id'])

        except exceptions.NotFound as e:
--- a/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_routers_rbac.py
@@ -26,7 +26,6 @@ from tempest import test

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.network import rbac_base as base

 CONF = config.CONF
@@ -54,7 +53,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        cls.admin_router = cls.create_router()

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(RouterRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="neutron",
@@ -65,7 +64,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_router policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        router = self.routers_client.create_router()
        self.addCleanup(self.routers_client.delete_router,
                        router['router']['id'])
@@ -84,7 +83,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        external_gateway_info = {'network_id': self.admin_network['id'],
                                 'enable_snat': True}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        router = self.routers_client.create_router(
            name=name, external_gateway_info=external_gateway_info)
        self.addCleanup(self.routers_client.delete_router,
@@ -110,7 +109,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
                                 'enable_snat': False,
                                 'external_fixed_ips': [external_fixed_ips]}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        router = self.routers_client.create_router(
            name=name, external_gateway_info=external_gateway_info)
        self.addCleanup(self.routers_client.delete_router,
@@ -123,7 +122,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron get_router policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.routers_client.show_router(self.admin_router['id'])
        except exceptions.NotFound as e:
@@ -141,7 +140,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron update_router policy
        """
        new_name = data_utils.rand_name('new-router-name')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.routers_client.update_router(self.admin_router['id'],
                                          name=new_name)

@@ -154,7 +153,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron
        update_router:external_gateway_info policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.routers_client.update_router(self.admin_router['id'],
                                          external_gateway_info={})

@@ -168,7 +167,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron
        update_router:external_gateway_info:network_id policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.routers_client.update_router(
            self.admin_router['id'],
            external_gateway_info={'network_id': self.admin_network['id']})
@@ -183,7 +182,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron
        update_router:external_gateway_info:enable_snat policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.routers_client.update_router(
            self.admin_router['id'],
            external_gateway_info={'network_id': self.admin_network['id'],
@@ -206,7 +205,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        external_gateway_info = {'network_id': self.admin_network['id'],
                                 'external_fixed_ips': [external_fixed_ips]}

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.routers_client.update_router(
            self.admin_router['id'],
            external_gateway_info=external_gateway_info)
@@ -224,7 +223,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron delete_router policy
        """
        router = self.create_router()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.routers_client.delete_router(router['id'])
        except exceptions.NotFound as e:
@@ -245,7 +244,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
        subnet = self.create_subnet(network)
        router = self.create_router()

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.routers_client.add_router_interface(
                router['id'], subnet_id=subnet['id'])
@@ -280,7 +279,7 @@ class RouterRbacTest(base.BaseNetworkRbacTest):
                        router['id'],
                        subnet_id=subnet['id'])

-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.routers_client.remove_router_interface(
                router['id'],
--- a/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
+++ b/patrole_tempest_plugin/tests/api/network/test_subnetpools_rbac.py
@@ -23,7 +23,6 @@ from tempest import test

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.network import rbac_base as base

 CONF = config.CONF
@@ -40,7 +39,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):
            raise cls.skipException(msg)

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(SubnetPoolsRbacTest, self).tearDown()

    def _create_subnetpool(self, shared=None):
@@ -69,7 +68,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_subnetpool policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_subnetpool()

    @rbac_rule_validation.action(service="neutron",
@@ -80,7 +79,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):

        RBAC test for the neutron create_subnetpool:shared policy
        """
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_subnetpool(shared=True)

    @rbac_rule_validation.action(service="neutron",
@@ -92,7 +91,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron get_subnetpool policy
        """
        subnetpool = self._create_subnetpool()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.subnetpools_client.show_subnetpool(subnetpool['id'])
        except exceptions.NotFound as e:
@@ -110,7 +109,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron update_subnetpool policy
        """
        subnetpool = self._create_subnetpool()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.subnetpools_client.update_subnetpool(subnetpool['id'],
                                                  min_prefixlen=24)

@@ -123,7 +122,7 @@ class SubnetPoolsRbacTest(base.BaseNetworkRbacTest):
        RBAC test for the neutron delete_subnetpool policy
        """
        subnetpool = self._create_subnetpool()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        try:
            self.subnetpools_client.delete_subnetpool(subnetpool['id'])
        except exceptions.NotFound as e:
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_qos_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -34,14 +33,14 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        cls.client = cls.admin_volume_qos_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumeQOSRbacTest, self).tearDown()

    @rbac_rule_validation.action(
        service="cinder", rule="volume_extension:qos_specs_manage:create")
    @decorators.idempotent_id('4f9f45f0-b379-4577-a279-cec3e917cbec')
    def test_create_qos_with_consumer(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Create a qos
        self.create_test_qos_specs()

@@ -51,7 +50,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
    def test_delete_qos_with_consumer(self):
        # Create a qos
        qos = self.create_test_qos_specs()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Delete a qos
        self.client.delete_qos(qos['id'])

@@ -61,7 +60,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
    def test_get_qos(self):
        # Create a qos
        qos = self.create_test_qos_specs()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Get a qos
        self.client.show_qos(qos['id'])['qos_specs']

@@ -69,7 +68,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
                                 rule="volume_extension:qos_specs_manage:read")
    @decorators.idempotent_id('546b8bb1-04a4-4387-9506-a538a7f3cd6a')
    def test_list_qos(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # list all qos
        self.client.list_qos()['qos_specs']

@@ -79,7 +78,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
    def test_set_qos_key(self):
        # Create a qos
        qos = self.create_test_qos_specs()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # set key
        self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']

@@ -91,7 +90,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        qos = self.create_test_qos_specs()
        # Set key
        self.client.set_qos_key(qos['id'], iops_bytes='500')['qos_specs']
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Unset key
        keys = ['iops_bytes']
        self.client.unset_qos_key(qos['id'], keys)
@@ -107,7 +106,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        qos = self.create_test_qos_specs()
        # create a test volume-type
        vol_type = self.create_volume_type()['id']
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # associate the qos-specs with volume-types
        self.client.associate_qos(qos['id'], vol_type)
        self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
@@ -122,7 +121,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        # associate the qos-specs with volume-types
        self.client.associate_qos(qos['id'], vol_type)
        self.addCleanup(self.client.disassociate_qos, qos['id'], vol_type)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # get the association of the qos-specs
        self.client.show_association_qos(qos['id'])

@@ -137,7 +136,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        self.client.associate_qos(qos['id'], vol_type)
        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
                        self.client.disassociate_qos, qos['id'], vol_type)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # disassociate a volume-type with qos-specs
        self.client.disassociate_qos(qos['id'], vol_type)
        operation = 'disassociate'
@@ -155,7 +154,7 @@ class VolumeQOSRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        self.client.associate_qos(qos['id'], vol_type)
        self.addCleanup(test_utils.call_and_ignore_notfound_exc,
                        self.client.disassociate_qos, qos['id'], vol_type)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # disassociate all volume-types from qos-specs
        self.client.disassociate_all_qos(qos['id'])
        operation = 'disassociate-all'
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volume_quotas_rbac.py
@@ -19,7 +19,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 QUOTA_KEYS = ['gigabytes', 'snapshots', 'volumes']
@@ -41,14 +40,14 @@ class VolumeQuotasAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        cls.client = cls.os.volume_quotas_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumeQuotasAdminRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="cinder",
                                 rule="volume_extension:quotas:show")
    @decorators.idempotent_id('b3c7177e-b6b1-4d0f-810a-fc95606964dd')
    def test_list_default_quotas(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_default_quota_set(
            self.demo_tenant_id)['quota_set']

@@ -60,7 +59,7 @@ class VolumeQuotasAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
                         'volumes': 11,
                         'snapshots': 11}
        # Update limits for all quota resources
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.update_quota_set(
            self.demo_tenant_id,
            **new_quota_set)['quota_set']
--- a/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/admin/test_volumes_backup_admin_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -32,7 +31,7 @@ class VolumesBackupsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
            raise cls.skipException("Cinder backup feature disabled")

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesBackupsAdminRbacTest, self).tearDown()

    @classmethod
@@ -47,7 +46,7 @@ class VolumesBackupsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        # Create a temp backup
        backup = self.create_backup(volume_id=self.volume['id'])
        # Export Backup
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.backups_client.export_backup(
            backup['id'])['backup-record']

@@ -61,7 +60,7 @@ class VolumesBackupsAdminRbacTest(rbac_base.BaseVolumeAdminRbacTest):
        export_backup = self.backups_client.export_backup(
            backup['id'])['backup-record']
        # Import the temp backup
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        import_backup = self.backups_client.import_backup(
            backup_service=export_backup['backup_service'],
            backup_url=export_backup['backup_url'])['backup']
--- a/patrole_tempest_plugin/tests/api/volume/rbac_base.py
+++ b/patrole_tempest_plugin/tests/api/volume/rbac_base.py
@@ -14,12 +14,14 @@
 from tempest.api.volume import base as vol_base
 from tempest import config

+from patrole_tempest_plugin.rbac_utils import rbac_utils
+
 CONF = config.CONF


 class BaseVolumeRbacTest(vol_base.BaseVolumeTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -27,20 +29,23 @@ class BaseVolumeRbacTest(vol_base.BaseVolumeTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseVolumeRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseVolumeRbacTest, cls).setup_clients()
        cls.auth_provider = cls.os.auth_provider
        cls.admin_client = cls.os_adm.volumes_client
+        cls.rbac_utils = rbac_utils()


 class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):

-    credentials = ['primary', 'admin']
+    credentials = ['admin']

    @classmethod
    def skip_checks(cls):
@@ -48,12 +53,15 @@ class BaseVolumeAdminRbacTest(vol_base.BaseVolumeAdminTest):
        if not CONF.rbac.rbac_flag:
            raise cls.skipException(
                "%s skipped as RBAC Flag not enabled" % cls.__name__)
-        if 'admin' not in CONF.auth.tempest_roles:
-            raise cls.skipException(
-                "%s skipped because tempest roles is not admin" % cls.__name__)
+
+    @classmethod
+    def setup_credentials(cls):
+        super(BaseVolumeAdminRbacTest, cls).setup_credentials()
+        cls.os = cls.os_adm

    @classmethod
    def setup_clients(cls):
        super(BaseVolumeAdminRbacTest, cls).setup_clients()
        cls.auth_provider = cls.os.auth_provider
        cls.admin_client = cls.os_adm.volumes_client
+        cls.rbac_utils = rbac_utils()
--- a/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_availability_zone_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -31,12 +30,12 @@ class AvailabilityZoneRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.availability_zone_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(AvailabilityZoneRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="cinder",
                                 rule="volume:availability_zone_list")
    @decorators.idempotent_id('8cfd920c-4b6c-402d-b6e2-ede86bedc702')
    def test_get_availability_zone_list(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_availability_zones()
--- a/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_extensions_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -26,14 +25,14 @@ CONF = config.CONF
 class ExtensionsRbacTest(rbac_base.BaseVolumeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(ExtensionsRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="cinder",
                                 rule="volume:list_extensions")
    @decorators.idempotent_id('7f2dcc41-e850-493f-a400-82db4e2b50c0')
    def test_list_extensions(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.volumes_extension_client.list_extensions()


--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_actions_rbac.py
@@ -19,7 +19,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -40,7 +39,7 @@ class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.os.snapshots_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(SnapshotsActionsRbacTest, self).tearDown()

    @classmethod
@@ -59,7 +58,7 @@ class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_reset_snapshot_status(self):
        # Reset snapshot status to error
        status = 'error'
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.\
            reset_snapshot_status(self.snapshot['id'], status)

@@ -73,7 +72,7 @@ class SnapshotsActionsRbacTest(rbac_base.BaseVolumeRbacTest):
        # and force delete temp snapshot
        temp_snapshot = self.create_snapshot(self.volume['id'])
        # Force delete the snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.force_delete_snapshot(temp_snapshot['id'])
        self.client.wait_for_resource_deletion(temp_snapshot['id'])

--- a/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_snapshots_metadata_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -32,7 +31,7 @@ class SnapshotMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
            raise cls.skipException("Cinder snapshot feature disabled")

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(SnapshotMetadataRbacTest, self).tearDown()

    @classmethod
@@ -58,7 +57,7 @@ class SnapshotMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('c9cbec1c-edfe-46b8-825b-7b6ac0a58c25')
    def test_create_snapshot_metadata(self):
        # Create metadata for the snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_test_snapshot_metadata()

    @rbac_rule_validation.action(service="cinder",
@@ -68,7 +67,7 @@ class SnapshotMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
        # Create volume and snapshot metadata
        self._create_test_snapshot_metadata()
        # Get metadata for the snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.snapshots_client.show_snapshot_metadata(
            self.snapshot_id)

@@ -80,7 +79,7 @@ class SnapshotMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
        # Create volume and snapshot metadata
        self._create_test_snapshot_metadata()
        # Get metadata for the snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Get the metadata of the snapshot
        self.snapshots_client.show_snapshot_metadata(
            self.snapshot_id)['metadata']
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_actions_rbac.py
@@ -20,7 +20,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -47,7 +46,7 @@ class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.image_client = cls.os.image_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesActionsRbacTest, self).tearDown()

    @classmethod
@@ -72,7 +71,7 @@ class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    @rbac_rule_validation.action(service="cinder", rule="volume:attach")
    @decorators.idempotent_id('f97b10e4-2eed-4f8b-8632-71c02cb9fe42')
    def test_attach_volume_to_instance(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Attach the volume
        self._attach_volume()

@@ -81,14 +80,14 @@ class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_detach_volume_to_instance(self):
        # Attach the volume
        self._attach_volume()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Detach the volume
        self._detach_volume()

    @rbac_rule_validation.action(service="cinder", rule="volume:get")
    @decorators.idempotent_id('c4c3fdd5-b1b1-49c3-b977-a9f40ee9257a')
    def test_get_volume_attachment(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Get attachment
        self.client.show_volume(self.volume['id'])

@@ -97,7 +96,7 @@ class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('b0d0da46-903c-4445-893e-20e680d68b50')
    def test_volume_upload(self):
        image_name = data_utils.rand_name('image')
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        body = self.client.upload_volume(
            self.volume['id'], image_name=image_name,
            disk_format=CONF.volume.disk_format)['os-volume_upload_image']
@@ -112,7 +111,7 @@ class VolumesActionsRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('2750717a-f250-4e41-9e09-02624aad6ff8')
    def test_volume_readonly_update(self):
        volume = self.create_volume()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Update volume readonly
        self.client.update_volume_readonly(volume['id'], readonly=True)

--- a/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_create_delete_rbac.py
@@ -21,7 +21,6 @@ from tempest.lib import exceptions

 from patrole_tempest_plugin import rbac_exceptions
 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -31,7 +30,7 @@ LOG = logging.getLogger(__name__)
 class CreateDeleteVolumeRbacTest(rbac_base.BaseVolumeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(CreateDeleteVolumeRbacTest, self).tearDown()

    def _create_volume(self):
@@ -45,7 +44,7 @@ class CreateDeleteVolumeRbacTest(rbac_base.BaseVolumeRbacTest):
                                 rule="volume:create")
    @decorators.idempotent_id('426b08ef-6394-4d06-9128-965d5a6c38ef')
    def test_create_volume(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Create a volume
        self._create_volume()

@@ -56,7 +55,7 @@ class CreateDeleteVolumeRbacTest(rbac_base.BaseVolumeRbacTest):
        try:
            # Create a volume
            volume = self._create_volume()
-            rbac_utils.switch_role(self, switchToRbacRole=True)
+            self.rbac_utils.switch_role(self, switchToRbacRole=True)
            # Delete a volume
            self.volumes_client.delete_volume(volume['id'])
        except exceptions.NotFound as e:
--- a/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_metadata_rbac.py
@@ -19,7 +19,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -33,7 +32,7 @@ class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.os.volumes_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumeMetadataRbacTest, self).tearDown()

    def _add_metadata(self, volume):
@@ -50,7 +49,7 @@ class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('232bbb8b-4c29-44dc-9077-b1398c20b738')
    def test_create_volume_metadata(self):
        volume = self.create_volume()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._add_metadata(volume)

    @rbac_rule_validation.action(service="cinder",
@@ -59,7 +58,7 @@ class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_get_volume_metadata(self):
        volume = self.create_volume()
        self._add_metadata(volume)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.volumes_client.show_volume_metadata(volume['id'])['metadata']

    @rbac_rule_validation.action(service="cinder",
@@ -68,7 +67,7 @@ class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_delete_volume_metadata(self):
        volume = self.create_volume()
        self._add_metadata(volume)
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.volumes_client.delete_volume_metadata_item(volume['id'],
                                                        "key1")

@@ -80,7 +79,7 @@ class VolumeMetadataRbacTest(rbac_base.BaseVolumeRbacTest):
        self._add_metadata(volume)
        # Metadata to update
        update_item = {"key3": "value3_update"}
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.volumes_client.update_volume_metadata_item(
            volume['id'], "key3", update_item)['meta']

--- a/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volume_transfers_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import test_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -27,7 +26,7 @@ CONF = config.CONF

 class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):

-    credentials = ['primary', 'alt', 'admin']
+    credentials = ['alt', 'admin']

    @classmethod
    def setup_clients(cls):
@@ -37,7 +36,7 @@ class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.alt_tenant_id = cls.alt_client.tenant_id

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesTransfersRbacTest, self).tearDown()

    @classmethod
@@ -64,7 +63,7 @@ class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
                                 rule="volume:create_transfer")
    @decorators.idempotent_id('25413af4-468d-48ff-94ca-4436f8526b3e')
    def test_create_volume_transfer(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._create_transfer()

    @rbac_rule_validation.action(service="cinder",
@@ -72,14 +71,14 @@ class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('7a0925d3-ed97-4c25-8299-e5cdabe2eb55')
    def test_get_volume_transfer(self):
        transfer = self._create_transfer()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_volume_transfer(transfer['id'])

    @rbac_rule_validation.action(service="cinder",
                                 rule="volume:get_all_transfers")
    @decorators.idempotent_id('02a06f2b-5040-49e2-b2b7-619a7db59603')
    def test_list_volume_transfers(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_volume_transfers()

    @rbac_rule_validation.action(service="cinder",
@@ -87,7 +86,7 @@ class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('987f2a11-d657-4984-a6c9-28f06c1cd014')
    def test_accept_volume_transfer(self):
        transfer = self._create_transfer()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.accept_volume_transfer(transfer['id'],
                                           auth_key=transfer['auth_key'])

@@ -96,7 +95,7 @@ class VolumesTransfersRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('4672187e-7fff-454b-832a-5c8865dda868')
    def test_delete_volume_transfer(self):
        transfer = self._create_transfer()
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.delete_volume_transfer(transfer['id'])


--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_backup_rbac.py
@@ -19,7 +19,6 @@ from tempest.lib.common.utils import data_utils
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -34,7 +33,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
            raise cls.skipException("Cinder backup feature disabled")

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesBackupsRbacTest, self).tearDown()

    def create_backup(self, volume_id):
@@ -56,7 +55,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
                                 rule="backup:create")
    @decorators.idempotent_id('6887ec94-0bcf-4ab7-b30f-3808a4b5a2a5')
    def test_volume_backup_create(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_backup(volume_id=self.volume['id'])

    @rbac_rule_validation.action(service="cinder",
@@ -66,14 +65,14 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        # Create a temp backup
        backup = self.create_backup(volume_id=self.volume['id'])
        # Get a given backup
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.backups_client.show_backup(backup['id'])

    @rbac_rule_validation.action(service="cinder",
                                 rule="backup:get_all")
    @decorators.idempotent_id('4d18f0f0-7e01-4007-b622-dedc859b22f6')
    def test_volume_backup_list(self):
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.backups_client.list_backups()

    @rbac_rule_validation.action(service="cinder",
@@ -83,7 +82,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
        # Create a temp backup
        backup = self.create_backup(volume_id=self.volume['id'])
        # Restore backup
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.backups_client.restore_backup(backup['id'])['restore']

    @rbac_rule_validation.action(service="cinder",
@@ -92,7 +91,7 @@ class VolumesBackupsRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_volume_backup_delete(self):
        # Create a temp backup
        backup = self.create_backup(volume_id=self.volume['id'])
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Delete backup
        self.backups_client.delete_backup(backup['id'])

--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_extend_rbac.py
@@ -18,7 +18,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -27,7 +26,7 @@ CONF = config.CONF
 class VolumesExtendRbacTest(rbac_base.BaseVolumeRbacTest):

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesExtendRbacTest, self).tearDown()

    @classmethod
@@ -41,7 +40,7 @@ class VolumesExtendRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_volume_extend(self):
        # Extend volume test
        extend_size = int(self.volume['size']) + 1
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.volumes_client.extend_volume(self.volume['id'],
                                          new_size=extend_size)
        waiters.wait_for_volume_status(self.volumes_client, self.volume['id'],
--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_list_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -31,7 +30,7 @@ class VolumesListRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.os.volumes_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesListRbacTest, self).tearDown()

    @rbac_rule_validation.action(service="cinder",
@@ -39,7 +38,7 @@ class VolumesListRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('e3ab7906-b04b-4c45-aa11-1104d302f940')
    def test_volume_list(self):
        # Get a list of Volumes
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_volumes()

    @rbac_rule_validation.action(
@@ -48,7 +47,7 @@ class VolumesListRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('3d48ca91-f02b-4616-a69d-4a8b296c8529')
    def test_volume_list_image_metadata(self):
        # Get a list of Volumes
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.list_volumes(detail=True)


--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_rbac.py
@@ -19,7 +19,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -34,7 +33,7 @@ class VolumesRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.volumes_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesRbacTest, self).tearDown()

    @rbac_rule_validation.action(
@@ -44,7 +43,7 @@ class VolumesRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_volume_reset_status(self):
        volume = self.create_volume()
        # Test volume reset status : available->error->available
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.reset_volume_status(volume['id'], status='error')
        self.client.reset_volume_status(volume['id'], status='available')

@@ -56,7 +55,7 @@ class VolumesRbacTest(rbac_base.BaseVolumeRbacTest):
        volume = self.create_volume()
        self.client.reset_volume_status(volume['id'], status='error')
        # Test force delete when status of volume is error
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.force_delete_volume(volume['id'])
        self.client.wait_for_resource_deletion(volume['id'])

--- a/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
+++ b/patrole_tempest_plugin/tests/api/volume/test_volumes_snapshots_rbac.py
@@ -17,7 +17,6 @@ from tempest import config
 from tempest.lib import decorators

 from patrole_tempest_plugin import rbac_rule_validation
-from patrole_tempest_plugin.rbac_utils import rbac_utils
 from patrole_tempest_plugin.tests.api.volume import rbac_base

 CONF = config.CONF
@@ -31,7 +30,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
        cls.client = cls.snapshots_client

    def tearDown(self):
-        rbac_utils.switch_role(self, switchToRbacRole=False)
+        self.rbac_utils.switch_role(self, switchToRbacRole=False)
        super(VolumesSnapshotRbacTest, self).tearDown()

    @classmethod
@@ -66,7 +65,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('ac7b2ee5-fbc0-4360-afc2-de8fa4881ede')
    def test_snapshot_create(self):
        # Create a temp snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.create_snapshot(self.volume['id'])

    @rbac_rule_validation.action(service="cinder",
@@ -74,7 +73,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
    @decorators.idempotent_id('93a11b40-1ba8-44d6-a196-f8d97220f796')
    def test_snapshot_get(self):
        # Get the snapshot
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.show_snapshot(self.snapshot
                                  ['id'])['snapshot']

@@ -85,7 +84,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
        new_desc = 'This is the new description of snapshot.'
        params = {self.descrip_field: new_desc}
        # Updates snapshot with new values
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self.client.update_snapshot(
            self.snapshot['id'], **params)['snapshot']

@@ -96,7 +95,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
        """list snapshots with params."""
        # Verify list snapshots by display_name filter
        params = {self.name_field: self.snapshot[self.name_field]}
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        self._list_by_param_values(params)

    @rbac_rule_validation.action(service="cinder",
@@ -105,7 +104,7 @@ class VolumesSnapshotRbacTest(rbac_base.BaseVolumeRbacTest):
    def test_snapshot_delete(self):
        # Create a temp snapshot
        temp_snapshot = self.create_snapshot(self.volume['id'])
-        rbac_utils.switch_role(self, switchToRbacRole=True)
+        self.rbac_utils.switch_role(self, switchToRbacRole=True)
        # Delete the snapshot
        self.client.delete_snapshot(temp_snapshot['id'])

--- a/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
+++ b/patrole_tempest_plugin/tests/unit/test_rbac_utils.py
@@ -13,187 +13,47 @@
 #    License for the specific language governing permissions and limitations
 #    under the License.

-import json
 import mock

+from tempest.lib import exceptions as lib_exc
 from tempest.tests import base

 from patrole_tempest_plugin import rbac_exceptions
-from patrole_tempest_plugin import rbac_utils as utils
+from patrole_tempest_plugin import rbac_utils


 class RBACUtilsTest(base.TestCase):
    def setUp(self):
        super(RBACUtilsTest, self).setUp()
-        self.rbac_utils = utils.RbacUtils
+        mock_creds_provider = mock.patch.object(
+            rbac_utils, 'credentials_factory').start()
+        mock_creds_provider.get_credentials_provider.return_value.\
+            creds_client.roles_client.list_roles.return_value.\
+            __getitem__.return_value = [
+                {'name': 'admin', 'id': 'admin_id'},
+                {'name': 'Member', 'id': 'member_id'}
+            ]
+        self.rbac_utils = rbac_utils.rbac_utils()

-    get_response = 200
-    put_response = 204
-    delete_response = 204
-    response_data = json.dumps({"roles": []})
-
-    def _response_side_effect(self, action, *args, **kwargs):
-        response = mock.MagicMock()
-        if action == "GET":
-            response.status = self.get_response
-            response.data = self.response_data
-        if action == "PUT":
-            response.status = self.put_response
-        if action == "DELETE":
-            response.status = self.delete_response
-        return response
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_get_roles(self, http, config):
-        self.rbac_utils.dictionary = {}
-
-        caller = mock.Mock()
-        caller.admin_client.token = "test_token"
-
-        http.request.side_effect = self._response_side_effect
-
-        self.assertEqual({'admin_role_id': None, 'rbac_role_id': None},
-                         self.rbac_utils.get_roles(caller))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_get_roles_member(self, http, config):
-        self.rbac_utils.dictionary = {}
-
-        caller = mock.Mock()
-        caller.admin_client.token = "test_token"
-
-        self.response_data = json.dumps({'roles': [{'name': '_member_',
-                                         'id': '_member_id'}]})
-        http.request.side_effect = self._response_side_effect
-
-        config.rbac.rbac_test_role = '_member_'
-
-        self.assertEqual({'admin_role_id': None,
-                          'rbac_role_id': '_member_id'},
-                         self.rbac_utils.get_roles(caller))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_get_roles_admin(self, http, config):
-        self.rbac_utils.dictionary = {}
-
-        caller = mock.Mock()
-        caller.admin_client.token = "test_token"
-
-        self.response_data = json.dumps({'roles': [{'name': 'admin',
-                                         'id': 'admin_id'}]})
-
-        http.request.side_effect = self._response_side_effect
-
-        config.rbac.rbac_test_role = 'admin'
-
-        self.assertEqual({'admin_role_id': 'admin_id',
-                          'rbac_role_id': 'admin_id'},
-                         self.rbac_utils.get_roles(caller))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_get_roles_admin_not_role(self, http, config):
-        self.rbac_utils.dictionary = {}
-
-        caller = mock.Mock()
-        caller.admin_client.token = "test_token"
-
-        self.response_data = json.dumps(
-            {'roles': [{'name': 'admin', 'id': 'admin_id'}]}
-        )
-        http.request.side_effect = self._response_side_effect
-
-        self.assertEqual({'admin_role_id': 'admin_id', 'rbac_role_id': None},
-                         self.rbac_utils.get_roles(caller))
-
-    def test_RBAC_utils_get_existing_roles(self):
-        self.rbac_utils.dictionary = {'admin_role_id': None,
-                                      'rbac_role_id': None}
-
-        self.assertEqual({'admin_role_id': None, 'rbac_role_id': None},
-                         self.rbac_utils.get_roles(None))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_get_roles_response_404(self, http, config):
-        self.rbac_utils.dictionary = {}
-
-        caller = mock.Mock()
-        caller.admin_client.token = "test_token"
-
-        http.request.side_effect = self._response_side_effect
-        self.get_response = 404
-
-        self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
-                          self.rbac_utils.get_roles, caller)
-        self.get_response = 200
-
-    def test_RBAC_utils_switch_roles_none(self):
-        self.assertIsNone(self.rbac_utils.switch_role(None))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_switch_roles_member(self, http,
-                                            get_roles, config):
-        get_roles.return_value = {'admin_role_id': None,
-                                  'rbac_role_id': '_member_id'}
+    def test_rbac_utils_switch_roles_none(self):
+        self.assertRaises(rbac_exceptions.RbacActionFailed,
+                          self.rbac_utils.switch_role, None)

+    def test_rbac_utils_switch_roles_false(self):
        self.auth_provider = mock.Mock()
        self.auth_provider.credentials.user_id = "user_id"
        self.auth_provider.credentials.tenant_id = "tenant_id"
        self.admin_client = mock.Mock()
        self.admin_client.token = "admin_token"
-
-        http.request.side_effect = self._response_side_effect
-
-        self.assertIsNone(self.rbac_utils.switch_role(self, "_member_"))
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_switch_roles_false(self, http,
-                                           get_roles, config):
-        get_roles.return_value = {'admin_role_id': None,
-                                  'rbac_role_id': '_member_id'}
-
-        self.auth_provider = mock.Mock()
-        self.auth_provider.credentials.user_id = "user_id"
-        self.auth_provider.credentials.tenant_id = "tenant_id"
-        self.admin_client = mock.Mock()
-        self.admin_client.token = "admin_token"
-
-        http.request.side_effect = self._response_side_effect
-
        self.assertIsNone(self.rbac_utils.switch_role(self, False))

-    @mock.patch('patrole_tempest_plugin.rbac_utils.CONF')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
-    @mock.patch('patrole_tempest_plugin.rbac_utils.http')
-    def test_RBAC_utils_switch_roles_get_roles_fails(self, http,
-                                                     get_roles, config):
-        get_roles.return_value = {'admin_role_id': None,
-                                  'rbac_role_id': '_member_id'}
-
+    def test_rbac_utils_switch_roles_get_roles_fails(self):
        self.auth_provider = mock.Mock()
        self.auth_provider.credentials.user_id = "user_id"
        self.auth_provider.credentials.tenant_id = "tenant_id"
        self.admin_client = mock.Mock()
        self.admin_client.token = "admin_token"
-
-        self.get_response = 404
-
-        self.assertRaises(rbac_exceptions.RbacResourceSetupFailed,
-                          self.rbac_utils.switch_role, self, False)
-
-        self.get_response = 200
-
-    @mock.patch('patrole_tempest_plugin.rbac_utils.RbacUtils.get_roles')
-    def test_RBAC_utils_switch_roles_exception(self, get_roles):
-        get_roles.return_value = {'admin_role_id': None,
-                                  'rbac_role_id': '_member_id'}
-        self.assertRaises(AttributeError, self.rbac_utils.switch_role,
-                          self, "admin")
+        self.rbac_utils.creds_client.roles_client.create_user_role_on_project.\
+            side_effect = lib_exc.NotFound
+        self.assertRaises(lib_exc.NotFound, self.rbac_utils.switch_role, self,
+                          False)